Insights from the Cisco 2021 Security Outcomes Study

With organizations demanding more agility in the way business is run, the security function has an increasing need to keep up with change. The reasons are all well known. Technology change drives business change, and vice versa, in an increasingly dynamic merry-go-round. Security has to underpin this change to support business outcomes.

In this environment, the Cisco 2021 Security Outcomes Study makes for some interesting reading. It analyzes various security practices, such as the use of well-integrated technology, as they relate to outcomes like achieving executive confidence in the security program.

One of the reasons it is a worthwhile read is because of the double-blind aspect of the report. This cannot be stressed enough. It legitimizes the findings and helps remove any bias. The report also draws on a wide global response, so regional and country responses are available.

The approach of mapping outcomes to practices is novel. I cannot recall seeing a study like this before. Hence, its practical value and interesting results. One immediate observation is that some correlations seem striking at first sight. For example, if you look at Figure 1 of the report, you see how well respondents are succeeding with different outcomes.

Near the top is gaining executive confidence in the security program (EB2). Yet, near the bottom is obtaining peer buy-in (EB3). It would seem that CISOs are happy with their upward-facing communication, but are finding it difficult to work with other colleagues. This almost seems counter-intuitive. Surely speaking with peers would be a great deal easier than gaining the trust of senior executives?

However, it would appear that the age-old issue of getting the board’s attention is being resolved. In a recent Gartner report, top-performing CISOs were all successful in this part of their role.

By contrast, the ability to gain support at the operational level to execute on any change is harder. This may make sense, as a security program comprising many practices and going across all the tiers of the business will require change across all those elements.

Could the inability to get buy-in mean that as a profession we are not agile enough? That security still acts as a blocker? I spoke to a CISO the other day who said that their ambition was to make their security function as agile as possible so that it would only be “one step behind the business.” It won’t be easy, but this must be an objective achieved through a series of steps including: 1) becoming closer to the business, 2) integrating into the planning process, and 3) adopting more flexible solutions that can change without the need for time-consuming implementation programs.

Access the full Cisco 2021 Security Outcomes Study

Going on to the next set of data, Figure 2 demonstrates how strongly specific security practices are followed by organizations, or not. Taking the bottom seven practices, i.e., those which CISOs and other security practitioners are less likely to agree that they follow, and correlating them to the output of Figure 15 of the report, which ranks the practices that are most effective for achieving security outcomes, you can see that almost all of the bottom seven are shown to be the most effective practices for achieving security outcomes.

Take, for example, well-integrated tech (AO1), which is seen in Figure 15 as the second most effective practice for achieving security outcomes. When analyzing each individual security outcome in the report, this practice appears often as an important factor for success. However, the survey suggests that security teams are not currently very confident that they are effectively integrating their tech.

There’s an explanation for this. Historically, security teams often had to react rapidly to the latest threat. This meant implementing the latest solution. Or, perhaps the CISO may have had a policy-oriented role without direct operational control. These types of scenarios have led to a plethora of security solutions in enterprise environments. A classic representation of this is in the SOC, where analysts can be seen looking at multiple screens at any one time. The disparate technologies often work differently and have to be joined together through resource-heavy processes. It has made security harder than necessary.

This is why, often in discussions with CISOs, they are looking for platform-based solutions to release them from this time-absorbing activity and allow them to focus on the most important part of their role, which is aligning with the business. The report findings seem to support the argument that an aim to integrate should be part of any plan going forward. This may not be easy, as it will involve obtaining the necessary financial support from senior executives, but also getting buy-in from peers in other organizational units, which we have seen can be challenging.

Going back to Figure 2, and looking at some of the other security practices that are less likely to be followed by organizations, these include prompt disaster recovery (AO10), the use of automation (AO4), and the use of performance metrics (AO2). It may be possible to also support improvements in these practices if there is an improvement in well-integrated tech. Therefore, moving forward on a plan in one area could bring benefits to other areas, and building in these linkages may help with better security overall.

When building out 2021 strategies, this report can be used to help focus on topics that will have a greater, more positive impact on your organization’s security. It is worth reading the report and taking some time to think about the potential impact these observations may have on plans for the future.

Additional Resources:


Richard Archdeacon

Advisory CISO

Cisco Security